It’s been a year since the Equifax data breach, which affected 147 million Americans and is widely considered the largest consumer data breach in U.S. history. Because Equifax didn’t use strong, consistent encryption methods to protect the data it stored, attackers were able to find and exploit a known bug in a software framework Equifax used to steal this information. Data breaches aren’t uncommon; several national corporations, including Home Depot and Target, have been hacked in recent years. There isn’t much we can do as individuals to control how these large companies and institutions protect our financial and personal data, but we can take steps to guard against breaches at home. Specifically, we’re going to look at phishing scams and how to avoid being tricked.

Phishing is a form of cyber attack in which the hacker tries to obtain your information by tricking you into disclosing it yourself. They can do this by contacting you in any of several different ways:

Email (both work and personal)

Text

Social media (Facebook Messenger, Instagram, Twitter, LinkedIn, etc.)

Phone

Via email: A phishing email works in one of two ways: convincing you either to disclose your sensitive information or to click on a link or attachment that contains malware. SPOILER ALERT: Your bank/credit card company will never email you to verify your password or account information. Neither will Amazon, eBay, Apple, Microsoft, the IRS, or pretty much any other institution. They will not send you attachments, so don’t click on any.

Via text: Gmail, Hotmail, and Yahoo never text you to ask whether you want to cancel an action on your account. If you receive a text about a password reset on your account and you didn’t request to reset the password, ignore the text. Don’t even reply—that will only let the scammers know they reached a working cell phone number so they can try again.

Via social media: There have been reports of Facebook users receiving messages from their contacts that consist of an .SVG image file that looks like a photo. Clicking on the file redirected the users to a fake YouTube page with prompts to add “browser extensions” in order to view the video. When users clicked the prompts, they inadvertently installed malware on their computers that allowed the scammers access to all the users’ Facebook friends. Similar scams have appeared on Instagram, Twitter, and LinkedIn. There are other social media phishing attempts out there, but this is the current big one.

Via phone: If you get a call from Microsoft, the IRS, China, etc.—you’re not getting a legitimate call. Hang up and, if you can, block the number.

Also: Attacks have been reported on Venmo and PayPal digital payment accounts. In the most common attack, the user (you) receives a legitimate-looking text or email that claims there’s been suspicious activity on their account and directs the user to provide updated information to avoid fraudulent charges. Another popular method does essentially the same thing but tells the user “Your payment could not be completed,” and prompts the user to provide the information. Pretty sneaky, right?

Be paranoid. Never log in to any website you reach by clicking a link in an email. Even if it looks authentic. Even if it doesn’t look like a link—for instance, a button in the email that says, “Verify information now.” The button is a link, and clicking it will not end well for your security.
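The point that a button is just a link with its real target hidden can be made concrete by pulling every link out of an email’s HTML and comparing where it claims to go with where it actually goes. The script below is an added example written for this article, not code from the original post. The email body, the sender domain examplebank.test and every hostname in it are constructed for illustration, and the “last two labels” rule it uses to compare domains is a deliberate simplification (a real tool would use a public-suffix list).

```python
"""Reveal where the links in an HTML email actually point.

Added example for this article; not code from the original post.
The email body below is constructed, and the sender domain and all
hostnames in it are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: a styled "Verify information now" button whose real
# target is not the bank's domain, plus a link whose visible text lies.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear customer, we noticed unusual activity on your account.</p>
<a href="https://secure-login.examplebank-verify.test/session?id=4471"
   style="background:#1a73e8;color:#fff;padding:12px;border-radius:4px">
   Verify information now
</a>
<p>Or visit <a href="http://203.0.113.7/login">https://www.examplebank.test</a></p>
<p>Questions? See our <a href="https://www.examplebank.test/help">help center</a>.</p>
</body></html>
"""

# Domain taken from the From: header of the constructed message.
CLAIMED_SENDER_DOMAIN = "examplebank.test"


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def registrable_domain(host):
    """Naive 'last two labels' approximation (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_host(host):
    """True when the link target is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(text, href, sender_domain):
    """Return the reasons this link deserves suspicion (empty list if none)."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        reasons.append("not https")
    if is_ip_host(host):
        reasons.append("target is a bare IP address")
    elif registrable_domain(host) != registrable_domain(sender_domain):
        reasons.append(f"target domain {registrable_domain(host)} != sender {sender_domain}")
    # Visible text that looks like a URL but points somewhere else entirely.
    shown = urlparse(text if "://" in text else "")
    if shown.hostname and registrable_domain(shown.hostname) != registrable_domain(host):
        reasons.append(f"visible text says {shown.hostname} but href goes to {host or '?'}")
    return reasons


def assess_email(html, sender_domain):
    """Return (text, href, reasons) for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href, assess_link(text, href, sender_domain))
            for text, href in parser.links]


if __name__ == "__main__":
    for text, href, reasons in assess_email(SAMPLE_EMAIL_HTML, CLAIMED_SENDER_DOMAIN):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"[{verdict}] '{text}' -> {href}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample, the “Verify information now” button is flagged because its target domain does not match the sender, the second link is flagged three times (plain http, a bare IP address, and visible text that names a different host than the href), and only the help-center link to the sender’s own domain passes. The same checks apply whether the link is a button, an image, or underlined text: the href is what matters, not how it is dressed.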

Lessons to live by

Do not trust the link.

No legitimate request for your username/password will come through an unsolicited email or text.

If you’re not expecting an email and you know the sender: call or text them. If you don’t have their number, use a different email or messaging program to ask them if they really sent it. Do not reply to the email.

If you’re not expecting it and you don’t know the sender: delete it. Better safe than sorry.

Awareness is key. Scammers are shrewd, but you don’t have to be tech-savvy to outwit them.